{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33908/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33908"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["dos","imagemagick","xml","cve-2026-33908"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eImageMagick is a widely used open-source software suite for displaying, converting, and editing raster image and vector image files. A critical vulnerability, identified as CVE-2026-33908, affects versions before 7.1.2-19 and 6.9.13-44. This vulnerability stems from the lack of depth limit during recursive processing of XML files via the \u003ccode\u003eDestroyXMLTree()\u003c/code\u003e function. An attacker can exploit this by crafting a malicious XML file with deeply nested structures. When ImageMagick parses this file, the recursive function exhausts stack memory, leading to a denial-of-service condition. Successful exploitation can disrupt services relying on ImageMagick, impacting image processing workflows. The vulnerability was addressed in versions 6.9.13-44 and 7.1.2-19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XML file with deeply nested elements.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted XML file to a system running a vulnerable version of ImageMagick (e.g., via upload, network share, or email attachment).\u003c/li\u003e\n\u003cli\u003eA user or automated process triggers ImageMagick to process the malicious XML file using command-line tools such as \u003ccode\u003econvert\u003c/code\u003e or through a web application using an ImageMagick library.\u003c/li\u003e\n\u003cli\u003eImageMagick begins parsing the XML file and calls the \u003ccode\u003eDestroyXMLTree()\u003c/code\u003e function to free memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDestroyXMLTree()\u003c/code\u003e function recursively traverses the XML tree without a depth limit.\u003c/li\u003e\n\u003cli\u003eDue to the deeply nested structure, the recursive calls consume excessive stack memory.\u003c/li\u003e\n\u003cli\u003eStack memory is exhausted, leading to a stack overflow.\u003c/li\u003e\n\u003cli\u003eThe ImageMagick process crashes, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33908 leads to a denial-of-service condition on the affected system. Services relying on ImageMagick for image processing become unavailable, potentially disrupting critical workflows. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high potential impact on system availability. The number of affected systems depends on the prevalence of vulnerable ImageMagick versions within an organization\u0026rsquo;s infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ImageMagick to version 7.1.2-19 or 6.9.13-44 or later to remediate CVE-2026-33908.\u003c/li\u003e\n\u003cli\u003eImplement file size limits and input validation for XML files processed by ImageMagick to mitigate the risk of malicious file uploads.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eImageMagick_XML_Crash\u003c/code\u003e to detect potential exploitation attempts by monitoring for ImageMagick process crashes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns of requests with large XML file uploads to identify potential attackers.\u003c/li\u003e\n\u003cli\u003eEnable process crash reporting on systems running ImageMagick to facilitate incident response and investigation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T22:18:02Z","date_published":"2026-04-13T22:18:02Z","id":"/briefs/2026-04-imagemagick-dos/","summary":"ImageMagick versions prior to 7.1.2-19 and 6.9.13-44 are susceptible to a denial-of-service (DoS) attack due to unbounded recursion during XML parsing, potentially leading to stack exhaustion.","title":"ImageMagick XML Bomb Denial-of-Service Vulnerability (CVE-2026-33908)","url":"https://feed.craftedsignal.io/briefs/2026-04-imagemagick-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-33908","version":"https://jsonfeed.org/version/1.1"}